Defused

@DefusedCyber

Followers: 5K | Following: 941 | Media: 198 | Statuses: 505

Managed Honeypots for Early-warning Threat Intelligence 🍯 Access free honeypot intel: https://t.co/TTnxgi9Hv5

Joined August 2023
@DefusedCyber
Defused
8 days
🍯 New Defused Functionality! Automatically collect malware that gets embedded into exploit payloads 🧨 Gradually rolling out to Defused TF honeypots starting tomorrow! Subscribe today 👉 https://t.co/vJlRQ5KUel
1
6
38
@DefusedCyber
Defused
1 day
Last minute honeypot alert before Christmas 🍯 Major enumeration sweep going on using PROPFIND, a WebDAV-specific HTTP verb. Enumeration happening from multiple IPs all from DigitalOcean servers geolocated in SGP - 159.223.71.35 188.166.219.249 157.230.44.100 139.59.123.216
0
9
27
@angryolditpers1
angry_old_it_person
4 days
A great reminder - do a few things and do them well vs we are going to do everything and suck at everything.
@DefusedCyber
Defused
6 days
0-Day Alert 🚨 Cisco warns of *unpatched* actively exploited zero-day in multiple Cisco Email Security products (CVE-2025-20393) We have just launched a Cisco ESA honeypot stream for monitoring - available now for Defused TF subscribers! 🍯 👉 https://t.co/GXFaqghsXI
0
1
4
@DefusedCyber
Defused
4 days
🚨 Attacks attempting exploitation of CVE-2025-20393 (Cisco Secure Email zero-day) are now attempting to drop AsyncOS-specific malware onto our honeypots 🍯 It is still unclear if the attacks are genuine - technical details of the vulnerability are not known to date
0
7
38
@cyb3rops
Florian Roth ⚡️
4 days
@DefusedCyber
Defused
6 days
0-Day Alert 🚨 Cisco warns of *unpatched* actively exploited zero-day in multiple Cisco Email Security products (CVE-2025-20393) We have just launched a Cisco ESA honeypot stream for monitoring - available now for Defused TF subscribers! 🍯 👉 https://t.co/GXFaqghsXI
8
48
385
@Viperion_OSINT
GHOST OPERATOR V
4 days
This is dope
@DefusedCyber
Defused
4 days
🍯 Multiple vulnerabilities are actively being exploited in Fortinet products! Monitor exploits hitting our honeypots in real time 👉
1
2
5
@DefusedCyber
Defused
4 days
🍯 Multiple vulnerabilities are actively being exploited in Fortinet products! Monitor exploits hitting our honeypots in real time 👉
@SimoKohonen
Simo
4 days
Interesting Fortinet payload... CVE-2025-58034 + CVE-2025-59718 chained together? I need to get some Fortinet boxes to start testing all these exploit cocktails getting thrown at the honeypots 😂
0
4
24
@DefusedCyber
Defused
4 days
⚠️A tool has been released for automating the discovery of CVE-2025-20393 targets (Cisco Secure Email zero-day) We are seeing it chained with POST requests to implant C2 servers 🍯 This is likely not the genuine vulnerable path - technical details of the vulnerability are not
2
16
64
@SimoKohonen
Simo
5 days
Fortigate SSO pathway fingerprinting (CVE-2025-59718) is going on pretty actively... Just tweaked the honeypot responses to be a bit more favourable - let's see if we can tease out more actions from some of these actors 🍯
2
15
63
@0x_shaq
faulty *ptrrr
5 days
pov: you launched your 0day exploit on a random server but it's @DefusedCyber honeypot and now your bug is burned
2
4
37
@DefusedCyber
Defused
6 days
0-Day Alert 🚨 Cisco warns of *unpatched* actively exploited zero-day in multiple Cisco Email Security products (CVE-2025-20393) We have just launched a Cisco ESA honeypot stream for monitoring - available now for Defused TF subscribers! 🍯 👉 https://t.co/GXFaqghsXI
1
14
73
@kmkz_security
kmkz
6 days
No malware. Just RCE -> reverse shell -> C2. Source domain taken down ? Well, infra still up and VT or EDR won't help This is real-world initial access tradecraft baby! Observed on @DefusedCyber cc @SimoKohonen #OffensiveSecurity #CTI #RedTeam
4
12
72
@SimoKohonen
Simo
7 days
This may be the coolest thing I've built yet Running live on one honeypot now and seems to work nicely. Will take a bit to update the full fleet but we'll get there 🍯
@DefusedCyber
Defused
8 days
🍯 New Defused Functionality! Automatically collect malware that gets embedded into exploit payloads 🧨 Gradually rolling out to Defused TF honeypots starting tomorrow! Subscribe today 👉 https://t.co/vJlRQ5KUel
3
4
70
@nembo81pr
Simo
9 days
@DefusedCyber
Defused
9 days
🚨 CVE-2025-59718 (FortiCloud SSO login bypass) exploitation is under way - at least 7 different IPs exploiting our Fortinet honeypots over the weekend Example (decoded) payload: <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_bypass1337"
1
1
4
@DefusedCyber
Defused
9 days
🚨 CVE-2025-59718 (FortiCloud SSO login bypass) exploitation is under way - at least 7 different IPs exploiting our Fortinet honeypots over the weekend Example (decoded) payload: <samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_bypass1337"
3
34
129
@DefusedCyber
Defused
12 days
🚨 React has disclosed two new, additional vulnerabilities to the critical RCE vuln of last week - CVE-2025-55183 and CVE-2025-55184. Patches are available and urged to be applied immediately. Track live attacks against React honeypots 👉 https://t.co/GXFaqggV8a
0
19
84
@SimoKohonen
Simo
12 days
Public accountability post: there will be a cool @DefusedCyber release on Monday (stuck in overoptimization land again)
3
1
13
@DefusedCyber
Defused
12 days
🚨 Critical (CVSS 9.9) RCE vuln in SAP Solution Manager (CVE-2025-42880) allows an authenticated attacker to execute code. We have added it as a honeypot stream into Defused TF. 🍯 This vulnerability does not have a POC yet. Let's go hunting! 👉 https://t.co/0KmalJdGuV
2
12
77
@SimoKohonen
Simo
13 days
Good to find an explanation why some madman threw thousands of random SOAP exploits at Ivanti honeypots today
@watchtowrcyber
watchTowr
13 days
Today, we're releasing watchTowr Labs' @chudyPB's BlackHat .NET research, owning Barracuda, Ivanti and more solutions. Enjoy the read as Piotr explains a new .NET Framework primitive, used to achieve pre- and post-auth RCE on numerous enterprise appliances.
1
4
55
@DefusedCyber
Defused
14 days
Monitor threat intelligence for Ivanti-based attack vectors on Defused 👉 https://t.co/GXFaqggV8a
0
0
2